Why incident response planning is growing in importance

Incident response is rising in importance—2018 seems to be “the year of IR.” Every major security vendor and service provider have been creating webinars and white papers about IR, and almost every organization is talking about it from the boardroom to the breakroom.

Why has IR become such a hot button topic in 2018? Just a few years ago, many of the organizations shoring up their IR today would not have been willing to spend the time and money to develop a useful plan, let alone test and improve it regularly.

Fortunately, or perhaps unfortunately, the last couple of years have played a large role in bringing boards and executives around to the importance of a solid and dependable IR plan. For better or worse, healthcare has become a target of criminal attacks and the irrefutable evidence can no longer be ignored by those in the ivory tower, and now it’s time to strike while the iron is hot. This means there is no better time to approach the board and executives to impart the criticality of a well-crafted IR and disaster recovery (DR) plan.

While most of the healthcare industry is at a “sweet spot” right now for awareness, especially at the upper levels of managements, it still requires a good, solid business case to sell it properly. Most executives are business-focused (as they should be), even in a not-for-profit organization the executives speak in terms of money, and that is how the IT and InfoSec teams need to sell it.

A silver lining to the massive uptick in attacks that healthcare has seen means there is no shortage of available data and statistics that will get the boards attention. One of the most impactful is the cost of downtime, according to Gartner the average cost of an outage is $ 5,600 per minute.

To put that in perspective, this varies based on many organizational factors, but on the low-end, downtime costs $ 140,000 per hour, $ 300,000 on average and over $ 500,000 on the high end. These numbers alone should be enough to get the reluctant executive’s attention, but if you need more, a simple Google search—or a read through the headlines at Health Data Management—will garner plenty more ammunition.

IR is an issue that scales far beyond the IT and InfoSec areas of an organization and those that only focus on IT are hit the hardest. An incident is a big deal, it will cause interruptions in the ability to provide care, to perform timely billing, and could even cause harm to patient safety, among countless other repercussions.

What about the organization’s public image? Is the PR/communications leadership just going to let rumor fly on social media? Or are they going to get in front of an incident with a planned media release? How about supply chain management? Most hospitals do not have enough supplies on-hand to last more than a day with the modern long thin supply chain.

It would not be a difficult task to keep listing all of the things that are not directly affected by IT but are heavily impacted by an incident, but hopefully the picture is clear—IR is not an IT issue alone. In many cases, these non-IT roles will balk at their need to be in an IR exercise or to participate in the development of IR/DR plans. But if they can be convinced to attend an IR exercise (even a small internal one) for even just an hour, they will never miss another one and will have plenty to say from that point forward.

The key is to make it plain as day as to how an incident, and the proper planning to deal with one, has a major impact on every single aspect of the organization without exception. Anyone that does not see that does not take their role seriously and maybe they need to be replaced.

While this article doesn’t go into the details of how to make a successful IR program, how to actually test IR, or even much into what an IR plan really is, it hopefully shows why an IR program is so important. In most organizations there is an IR and/or DR plan in place, but it is often outdated and has no input from crucial players in the organization.

The challenge here is to pull out that IR plan, look at it and start to ask the tough questions. It will not take long to start poking holes in even the most robust IR plan. Once they are found, start showing these holes to those that will be affected (preferably outside of IT/InfoSec) and ask them how they think it should be handled. The more support that can be gathered outside of IT and InfoSec, the more likely the leadership is going to be willing to listen.